How to Counter Insider Threats in the Software Supply Chain
Recent events, including the SolarWinds hack and President Biden’s cybersecurity executive order, have prompted investments in software supply chain security. Established vendors and startups are joining the fight as organizations start thinking about the technologies needed to meet this security challenge. One particular risk that is often overlooked, however, is the human part of the equation: insider threats.
Traditional insider threats along the supply chain
The risks associated with insider threats grow as the software supply chain extends to partners, third-party contractors, and independents. Once data, and the users who touch it, extend beyond an organization's own development and support teams, they become harder to control. Checking third parties' security measures is therefore essential, but not always easy.
Many large outsourcing companies have insider threat programs because they operate at a scale where such countermeasures are a cost of doing business. Details of the vendor's insider threat program and other internal security measures should be part of customer due diligence and contract negotiations. Yet even with contractual stipulations in place, it is difficult for customers to verify a vendor's security practices in action.
Verification of small businesses, sole proprietors and freelancers also presents challenges. If a company is looking for contractors through a third-party recruitment company, it can still ask for background investigations, but these will only reveal whether the company or the individual has a criminal record. Organizations should check their vendors' customer references, but these may not be extensive either. Back-channel references, from people who have actually worked with the vendor, are a useful supplement for verifying the quality of a business.
However, preventing insider threats in a software supply chain requires more than partner agreements and employee training. One option is Supply-chain Levels for Software Artifacts (SLSA), a software supply chain integrity framework based on Google's internal Binary Authorization for Borg (BAB). Google uses BAB as a deployment-time enforcement check: before code and configuration are allowed to run, the system verifies that they were built by a trusted builder from reviewed source, so that no single person can push unreviewed changes into production. Organizations can adopt the same approach, at a vendor or in-house, to reduce insider risk.
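To make the deployment-time check concrete, here is an added example (written for this article, not SLSA's or Google's own code) of the policy a deployment gate can apply to a SLSA provenance attestation before admitting an artifact. It assumes an in-toto Statement v0.1 carrying a SLSA provenance v0.2 predicate, a constructed artifact, and assumed trusted-builder and repository values; verifying the signature on the DSSE envelope that carries the statement is assumed to have happened before this check runs.

```python
"""Deployment-time provenance check modelled on SLSA provenance / Binary Authorization.

Example code added for this article; not SLSA's or Google's own implementation.
The statement format follows in-toto Statement v0.1 with a SLSA provenance v0.2
predicate. Builder IDs, repository URLs and the artifact bytes are constructed
sample values. Signature verification of the DSSE envelope carrying the statement
is assumed to have succeeded before this check runs.
"""
import hashlib
import json

# Deployment policy (assumed values for this example).
TRUSTED_BUILDERS = {"https://ci.example.com/builders/slsa-builder@v1"}
TRUSTED_SOURCE_PREFIX = "git+https://github.com/example-org/"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_provenance(statement: dict, artifact: bytes, artifact_name: str) -> list:
    """Return the list of policy violations; an empty list means 'may deploy'."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto v0.1 statement")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("unexpected predicateType %r" % statement.get("predicateType"))

    # 1. Subject binding: the attestation must name the exact bytes being deployed.
    digest = sha256_hex(artifact)
    if not any(s.get("name") == artifact_name and s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("no subject matches %s sha256:%s" % (artifact_name, digest))

    predicate = statement.get("predicate", {})
    # 2. Builder identity: only a trusted, hardened build service may vouch for the artifact.
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id not in TRUSTED_BUILDERS:
        problems.append("untrusted builder %r" % builder_id)

    # 3. Source: the build must come from an allowed repository at a pinned commit.
    config = predicate.get("invocation", {}).get("configSource", {})
    uri = config.get("uri", "")
    if not uri.startswith(TRUSTED_SOURCE_PREFIX):
        problems.append("source %r is outside the allowed repositories" % uri)
    if not config.get("digest", {}).get("sha1"):
        problems.append("source commit is not pinned in the provenance")

    # 4. Completeness: if the builder cannot vouch that it recorded every build
    #    parameter, a single insider could have steered the build unseen.
    completeness = predicate.get("metadata", {}).get("completeness", {})
    if completeness.get("parameters") is not True:
        problems.append("provenance does not claim complete build parameters")
    return problems


def make_statement(artifact_name, artifact, builder_id, source_uri, commit):
    """Build a constructed sample provenance statement for the given artifact."""
    return {
        "_type": STATEMENT_TYPE,
        "predicateType": PREDICATE_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://ci.example.com/buildtypes/container@v1",
            "invocation": {"configSource": {"uri": source_uri, "digest": {"sha1": commit},
                                            "entryPoint": "build.yaml"}},
            "metadata": {"completeness": {"parameters": True, "environment": False,
                                          "materials": True}},
            "materials": [{"uri": source_uri, "digest": {"sha1": commit}}],
        },
    }


# Constructed sample inputs.
ARTIFACT = b"example release bundle 1.2.3\n"
COMMIT = "1" * 40
good = make_statement("app.tar.gz", ARTIFACT,
                      "https://ci.example.com/builders/slsa-builder@v1",
                      "git+https://github.com/example-org/app@refs/tags/v1.2.3", COMMIT)
# A build run on one developer's workstation fails the builder check even when
# the bytes are identical: the gate trusts the build service, not the person.
rogue = make_statement("app.tar.gz", ARTIFACT, "https://laptop.example.net/alice",
                       "git+https://github.com/example-org/app@refs/tags/v1.2.3", COMMIT)

if __name__ == "__main__":
    print(json.dumps(good, indent=2))
    print("good:", check_provenance(good, ARTIFACT, "app.tar.gz"))
    print("rogue:", check_provenance(rogue, ARTIFACT, "app.tar.gz"))
    print("tampered:", check_provenance(good, ARTIFACT + b"x", "app.tar.gz"))
```

The point of the gate is that the decision depends on who built the artifact and from what, not on who is asking to deploy it: a developer who builds a correct artifact on a laptop is refused just like a tampered one, because the insider-resistant property comes from the trusted builder, not from the bytes.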
Geopolitical Effects on Startups and Established Companies
Events in Ukraine – a hotbed of innovative engineering talent – remind us that geopolitical conflicts also affect software supply chain security. Suppose the employees of a company or its suppliers, and their families, are in danger. Concern for employees in the affected area is paramount; it is only human. But it is also important to secure data and intellectual property, such as source code and documentation, that may be accessible from the conflict zone.
Organizations should ask partners or vendors for their continuity of operations plans (COOPs) for such black swan events. For example, suppose an organization relies on GitHub or GitLab for code repositories and collaboration. Processes should be in place to secure the accounts of users in affected regions, for instance by suspending access and rotating credentials and tokens when an account or device may have fallen into the wrong hands. Vendors and suppliers should also run COOP exercises so that employees and partners know the process before it is needed.
Protestware in open source software
Debates abound around the security of open source software (OSS), especially after recent events in Ukraine. If an organization's enterprise software has OSS dependencies, it should be aware of who maintains and contributes to those projects. Recently, pro-Ukrainian protest by a package's own maintainer was behind the sabotage of an NPM package, compounding the threats to the software supply chain.
As OSS relies on a collaborative community, there are signs of an inflection point in the relationship between OSS maintainers and the for-profit corporations that use OSS as the basis for critical internal software and for software they sell to customers. Organizations need to strengthen their open source programs, as well as the teams that provide governance and support for open source tools. That means, for example, dedicating staff to engage with the OSS communities the organization depends on, and treating OSS intake and upgrades as a software supply chain security practice: pinned, reviewed versions rather than automatic pulls of whatever release is latest.
The “Great Resignation” hits top vendor developers and engineers
Many third-party vendors are feeling the effect of the Great Resignation. Organizations should ensure that their suppliers have processes in place that prevent departing employees from taking source code or documents with them to their next job.
Ensure partners have a documented and auditable offboarding process for their developers and other technical staff: accounts disabled, repository and cloud access revoked, and shared keys and tokens rotated on the day of departure. Likewise, ask vendors what training, such as secure coding and other security practices, they give new employees during onboarding. Large outsourcing companies have the resources to manage the onboarding and departure of programmers and engineers, but smaller providers, such as regional professional services firms, may not have formal processes.
As software supply chain security captures the attention of the cybersecurity and investment communities, companies must not lose sight of the first rule of security: people are the weakest link. As new technologies capture market attention, companies must keep weighing the risk of insider threats and keep people at the center of their software supply chain strategies.